Air Canada (ADH2) has admitted that some 20,000 of its customers may have had their personal information, including passport details, “improperly accessed” due to a recent breach in the airline’s mobile app.

In a notice on its website, Air Canada (ADH2) said on August 28, 2018, it detected “unusual login activity” between August 22-24, 2018, and “immediately took action”, locking down all 1.7 million of its users’ accounts as a security precaution.

Although it is not clear how the data breach occurred, the airline has already been criticized for its relatively weak password system. The 1.7 million users have been instructed to reset their passwords according to the updated password guidelines, in order to access the app again.

The company believes that data has been stolen from about 1% or 20,000 of its customers’ accounts. It says it has contacted the potentially affected customers directly by email starting from August 29, 2018, to inform them whether it has been determined that their account had been breached.

The Air Canada (ADH2) mobile app stores basic information, such as the user’s name, email and phone number. Any credit card data is encrypted and and stored in compliance with security standards set by the payment card industry or PCI standards, the company assures.

However, other information, such as Aeroplan number, passport number, gender, birthdate, nationality, passport expiration date, passport country of issuance and country of residence, could have been accessed if users saved them in their account profile.

“Some data, such as names or emails, may have been visible if an unauthorized user was able to gain access to an account,” spokeswoman for the airline, Isabelle Arthur, told Canadian news media Financial Post.

According to the Canadian government, the risk of a third party obtaining a passport in someone else’s name is low if the person still has their passport, proof of citizenship and supporting identity documents.

But the City of London's Action Fraud team told the BBC that the "consequences of having your passport information accessed can be severe", since banks, insurance firms and mobile phone providers request the data to set up accounts, but do not always require to see the physical document.

Air Canada (ADH2) has recommended that its customers "regularly review their financial transactions, be aware of any changes to their credit rating, and contact their financial services provider immediately" if they notice any unusual activity